- Resolves: RHEL-67912 Add DNS over TLS Support, require bind 32:9.18.33-2 and bind-dyndb-ldap 11.11-1
Signed-off-by: Thomas Woerner <twoerner@redhat.com>
- Resolves: RHEL-72580 A slow HSM can cause IPA server installation to fail setting up certificate tracking
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
- Resolves: RHEL-75658 Include latest fixes in python3-ipatests package
- Resolves: RHEL-74466 kinit with external idp user is failing
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
- Resolves: RHEL-72580
A slow HSM can cause IPA server installation to fail setting up certificate tracking
- Resolves: RHEL-71964
KRA installation failure caused by a certificate mismatch in NSS DB and configuration file
- Resolves: RHEL-71262
Include latest fixes in python3-ipatests package
- Resolves: RHEL-67190
CVE-2024-11029 ipa: Administrative user data leaked through systemd journal
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
- Resolves: RHEL-70759
Fix typo in ipa-migrate log file i.e 'Privledges' to 'Privileges'
- Resolves: RHEL-70477
ipa-server-upgrade fails after established trust with ad
- Resolves: RHEL-70253
Upgrade to ipa-server-4.12.2-1.el9 OTP-based bind to LDAP without enforceldapotp is broken
- Resolves: RHEL-69926
add support for python cryptography 44.0.0
- Resolves: RHEL-69635
All user groups are not being included during HSM token validation
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
- Resolves: RHEL-69300 Support GSSAPI in Cockpit on IPA servers
- Resolves: RHEL-68447 ipa trust-add fails in FIPS mode with an internal error has occurred
- Resolves: RHEL-57674 Use RSNv3 and enable cert pruning by default in RHEL 10.0
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
- Resolves: RHEL-66599 vault-add fails in FIPS mode
- Resolves: RHEL-66598 ipa-migrate should also migrate DNS forward zones
- Resolves: RHEL-66597 ipa-migrate in stage mode fails with TypeError: 'NoneType' object is not iterable
- Resolves: RHEL-66595 Sentences truncated in man pages
- Resolves: RHEL-66592 IDP configuration in the IdM WebUI shows Organization is required
- Resolves: RHEL-65650 ipa-server-install with setup-dns fails 'job for ipa.service failed because the control process exited with error code'
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
- Related: RHEL-59777 Rebase Samba to the latest 4.21.x release
- Resolves: RHEL-59659 ipa dns-zone --allow-query '!198.18.2.0/24;any;' fails with Unrecognized IPAddress flags
- Resolves: RHEL-61636 Uninstall ACME separately during PKI uninstallation
- Resolves: RHEL-61723 Include latest fixes in python3-ipatests packages
- Resolves: RHEL-63325 Last expired OTP token would be considered as still assigned to the user
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
- Resolves: RHEL-47294 SID generation task is failing when SELinux is in Enforcing mode
- Resolves: RHEL-56472 Include latest fixes in python3-ipatests packages
- Resolves: RHEL-56917 RFE add a tool to quickly detect and fix issues with IPA ID ranges
- Resolves: RHEL-56965 Backport test fixes in python3-ipatests
- Resolves: RHEL-58067 ipa replication installation fails in FIPS mode on rhel10
- Resolves: RHEL-59265 Default hbac rules are duplicated on remote server post ipa-migrate in prod-mode
- Resolves: RHEL-59266 Also enable SSSD's ssh service when enabling sss_ssh_knownhosts
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
- Resolves: RHEL-53501 adtrustinstance only prints issues in check_inst() and does not log them
- Resolves: RHEL-52305 Unconditionally add MS-PAC to global config
- Resolves: RHEL-52223 ipa-replica/server-install with softhsm needs to check permission/ownership of /var/lib/softhsm/tokens to avoid install failure
- Resolves: RHEL-51937 Include latest fixes in python3-ipatests packages
- Resolves: RHEL-50805 ipa-migrate -Z with invalid cert options fails with 'ValueError: option error'
- Resolves: RHEL-49805 misleading warning for missing ipa-selinux-nfast package on luna hsm h/w
- Resolves: RHEL-49592 'Unable to log in as uid=admin-replica.testrealm.test,ou=people,o=ipaca' during replica install
- Resolves: RHEL-4879 RFE - Keep the configured value for the "nsslapd-ignore-time-skew" after a "force-sync"
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
- Resolves: RHEL-49452 Include latest fixes in python3-ipatests packages
- Resolves: RHEL-49433 Adjust "ipa config-mod --addattr ipaconfigstring=EnforceLDAPOTP" to allow for non OTP users in some cases
- Resolves: RHEL-49432 ipa-migrate stage-mode is failing with error: Modifying a mapped attribute in a managed entry is not allowed
- Resolves: RHEL-49413 ipa-migrate with -Z option fails with ValueError: option error
- Resolves: RHEL-47157 ipa-migrate -V options fails to display version
- Resolves: RHEL-47148 Pagure #9629: Syntax error uninstalling the selinux-luna subpackage
- Resolves: RHEL-40892 ipa-server-install: token_password_file read in kra.install_check after calling hsm_validator in ca.install_check
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
- Resolves: RHEL-46607 kdc.crt certificate not getting automatically renewed by certmonger in IPA Hidden replica
- Resolves: RHEL-46606 ipa-client rpm post script creates always ssh_config.orig even if nothing needs to be changed
- Resolves: RHEL-46605 IPA Web UI not showing replication agreement for non-admin users
- Resolves: RHEL-46592 [RFE] Allow IPA SIDgen task to continue if it finds an entity that SID can't be assigned to
- Resolves: RHEL-46556 Include latest fixes in python3-ipatests packages
- Resolves: RHEL-42705 PSKC.xml issues with ipa_otptoken_import.py
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
- CVE-2024-3183 freeipa: user can obtain a hash of the passwords of all domain users and perform offline brute force
Resolves: RHEL-32233
- CVE-2024-2698 freeipa: delegation rules allow a proxy service to impersonate any user to access another target service
Resolves: RHEL-40881
Signed-off-by: Julien Rische <jrische@redhat.com>
The "runpath" check of rpminspect raises an error related
to DT_RPATH using /usr/lib64/samba for /usr/lib64/samba/pdb/ipasam.so.
This can be waived as ipasam.so is a plugin for smdb and
requires to have DT_RPATH set.
Add the path /usr/lib64/samba to the list of allowed DT_RPATH
to ignore the issue.
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
- Resolves: RHEL-39144 Rebase ipa to the latest 4.12 version for RHEL 10
- Resolves: RHEL-30537 ipa: freeipa: argument injection into the username field of the /ipa/session/login_password requests
Add upstream fixes
- Fix memory leak in Kerberos KDC driver
- Fix possible crash in IPA command line tool when accessing Kerberos credentials
- Compatibility fix for Python Cryptography 42.0.0
- Fix CA affinity when installing replica
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
- timezone shift in handling certificates (due to py3.12 adaptation)
- 'reason' vs 'Reason' in PKI revocation JSON API response
- allow removal of minlength attribute from a custom password policy
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Update Fedora part of the spec file as we don't support building 4.11+
for versions below Fedora 39.
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
- Depend on selinux-policy-38.28-1.fc39
- Add SELinux policy for passkey_child to be used without ipa-otpd
- Related: rhbz#2238474
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
